Zafran Security disclosed four authorization vulnerabilities in Dify, an open-source agentic AI platform, under the DifyTap research label, affecting versions prior to 1.14.2. Two of the four CVEs carry critical CVSS scores (9.1 and 9.4 per vendor disclosure) and enable cross-tenant AI conversation read access, internal Plugin Daemon API traversal, and unauthenticated document exfiltration. Three of the four flaws are addressed in v1.14.2; CVE-2026-41948 (path traversal) remains unpatched as of this analysis. Note: CVE IDs CVE-2026-41947 through CVE-2026-41950 are attributed with medium confidence pending NVD publication.

Author

Tech Jacks Solutions